Today I have a pleasure to present you my first WinDbg extension lld 🙂 For now it contains only one command: !injectdll, which allows you to inject a DLL into the process being debugged. There is a similar command in the sdbgext extension, but it works only for 32-bit processes. The usage is extremly simple – just remember to load the extension in the correct bitness (32-bit version for 32-bit processes). Example session may look as follows:
0:000> .load lld 0:000> !injectdll c:\temp\Test.exe ModLoad: 00000001`3f820000 00000001`3f924000 c:\temp\Test.exe ModLoad: 000007fe`fd960000 000007fe`fd98e000 C:\Windows\system32\IMM32.DLL ModLoad: 000007fe`ff410000 000007fe`ff519000 C:\Windows\system32\MSCTF.dll (bac.5a0): Break instruction exception - code 80000003 (first chance) ntdll!LdrpDoDebuggerBreak+0x30: 00000000`778c7800 cc int 3
How it works
The logic behind this extension is quite simple and relies on the thread hijacking mechanism. I start the injection process by incrementing the suspend count for all the process threads except the current one. Then, I allocate a block of memory in the target process for storing the DLL name and the payload. I save the current thread context to a local variable and change the value of the registers required by the payload. Finally I resume the current thread which executes the payload and breaks back into the debugger, where I can decrement the suspend count of all the other threads and restore the hijacked thread context.
The payload is just four bytes long for 32bit and three bytes long for 64bit:
; x64 0x00000000 call rax 0x00000002 int3 ; x86 0x00000000 push ecx 0x00000001 call eax 0x00000003 int3
I set the eax/rax registry to the address of the
LoadLibraryA and the ecx/rcx registry to the address of the DLL name. As you can see, after the call the thread executes the breakpoint instruction (
int3) and thus gets back to the debugger.
I know the !injectdll command is probably not the most useful one, but in the next post I will show you an interesting way we could profit from it. So stay tuned 🙂